Abstract

In recent years, several protocols for password-based authenticated key exchange
have been proposed. These protocols aim to be secure even though the sample
space of passwords may be small enough to be enumerated by an off-line adversary.
In Eurocrypt 2000, Bellare, Pointcheval and Rogaway (BPR) presented a model and
security definition for authenticated key exchange. They claimed that in the
ideal-cipher model (random oracles), the two-flow protocol at the core of Encrypted
Key Exchange (EKE) is secure. Bellare and Rogaway suggested several instantiations
of the ideal cipher in their proposal to the IEEE P1363.2 working group. Since then
there has been an increased interest in proving the security of password-based
protocols in the ideal-cipher model. For example, Bresson, Chevassut, and Pointcheval
have recently shown that the OEKE protocol is secure in the ideal-cipher model.
In this paper, we present examples of real (NOT ideal) ciphers (including naive
implementations of the instantiations proposed to IEEE P1363.2) that would result
in broken instantiations of the idealized AuthA protocol and OEKE protocol. Our
result shows that the AuthA protocol can be instantiated in an insecure way, and
that there are no well-defined (let alone rigorous) ways to distinguish between secure
and insecure instantiations. Thus, without a rigorous metric for ideal ciphers, the
value of provable security in the ideal-cipher model is limited.



Key words: Password-based key agreement, dictionary attacks, AuthA, EKE. 



Email addresses: zhaozhu@hxu.edu.cn (Zhu Zhao), dongzha03@st.lzu.edu.cn 
(Zhongqi Dong), yonwang@uncc.edu (Yongge Wang). 



Preprint submitted to Theoretical Computer Science 



24 July 2012 



1 Introduction 



Numerous cryptographic protocols rely on passwords selected by users (people)
for strong authentication. Since users find it inconvenient to remember
long passwords, they typically select short, easily remembered passwords. In
these cases, the sample space of passwords may be small enough to be enumerated
by an adversary, thereby making the protocols vulnerable to a dictionary
attack. It is desirable then to design password-based protocols that resist
off-line dictionary attacks.

The password-based protocol problem was first studied by Gong, Lomas, Needham,
and Saltzer [10] who used public-key encryption to guard against off-line
password-guessing attacks. In another very influential work [2], Bellovin and
Merritt introduced Encrypted Key Exchange (EKE), which became the basis
for many of the subsequent works in this area. These protocols include
SPEKE [13] and SRP [25,26]. Other papers addressing the above protocol
problem can be found in [7,9,11,16]. Bellare, Pointcheval, and Rogaway [2]
defined a model for the password-based protocol problem and claimed that
their model is rich enough to deal with password guessing, forward secrecy,
server compromise, and loss of session keys. Then they claimed that in the
ideal-cipher model (random oracles), the two-flow protocol at the core of
Encrypted Key Exchange (EKE) is secure. In addition, Bellare and Rogaway
[3] suggested several instantiations (AuthA) of the ideal cipher in their
proposal to the IEEE P1363.2 Working Group. Recently, Bresson, Chevassut, and
Pointcheval [8] proposed a simplified version of AuthA, which is called OEKE,
and showed that OEKE achieves provable security against dictionary attacks
in both the random oracle and ideal-cipher models under the computational
Diffie-Hellman intractability assumption.

The ideal-cipher model was introduced by Bellare, Pointcheval, and Rogaway
[2] as follows. Fix finite sets of strings $\mathcal{G}$ and $\mathcal{C}$ where
$|\mathcal{G}| = |\mathcal{C}|$. In the ideal-cipher model, choosing a random
function $h$ from $\Omega$ amounts to giving the protocol (and the adversary) a
perfect way to encipher strings in $\mathcal{G}$: namely, for $K \in \{0,1\}^*$,
we set $\mathcal{E}_K: \mathcal{G} \to \mathcal{C}$ to be a random bijective
function, and we let $\mathcal{D}_K: \{0,1\}^* \to \mathcal{G}$ be defined by
letting $\mathcal{D}_K(y)$ be the value $x$ such that $\mathcal{E}_K(x) = y$ if
$y \in \mathcal{C}$, and undefined otherwise.

This paper studies the security issues with practical realization of the
ideal-cipher model by Bellare, Pointcheval, and Rogaway [2]. We show that for several
instantiations of the ideal cipher (including naive implementations of
instantiations suggested in [2]), the instantiated Bellare and Rogaway protocol
(AuthA) is not secure against off-line dictionary attacks. Our results show
that realizing the ideal cipher of Bellare, Pointcheval, and Rogaway can be
tricky. In particular, our results point out the weakness in the ideal-cipher
methodology of Bellare, Pointcheval, and Rogaway. That is, without a robust
measuring method for deciding whether a given cipher is a "good realization"
of the ideal cipher, ideal-cipher model analysis [2,8] of a password-based
protocol can be of limited value. Indeed, there is no well-defined (let alone
rigorous) way in [2] to distinguish between secure and insecure instantiations
of an ideal cipher. Note that Black and Rogaway [5] have done some initial
research on the potential implementations of ideal ciphers with arbitrary finite
domains. However, it is still far from a complete solution.

One of the main applications of password-based protocols is in the environment
of wireless and other more constrained devices (e.g., secure downloading
of private credentials: SACRED [20]). Elliptic Curve Cryptography (ECC)
has been extensively used in these constrained devices. However, most of the
suggested password-based protocols are described in the group (or a subgroup
of) $\mathcal{G} = \mathbb{Z}_p^*$, and are either unfriendly to or insecure in ECC-based groups.
For example, SRP [25,26] is based on a field and uses both field operations of
addition and multiplication, but ECC groups only have one group operation.
Several ECC-based SRP protocols have been introduced in Lee and Lee [Lf].
We will show that one of these protocols is completely insecure. We will also
discuss the security issues related to ECC-based SRP protocols. As an example,
we will also present a variant SRP5 of the original SRP protocol.

The organization of the paper is as follows: In Section 2 we informally address
the security problems of password-based protocols. We mount attacks on several
instantiations of Bellare, Pointcheval, and Rogaway's AuthA protocol and
on instantiations of Bresson, Chevassut, and Pointcheval's OEKE protocol in
Sections 3 and 4 respectively. In Section 5 we briefly discuss instantiations of
OEKE and the SRP protocol. We draw our conclusions in Section 6.



2 Security of password authentication 

Halevi and Krawczyk [11, Sections 2.2-2.3] introduced a notion of security for
password authentication. They provide a list of basic attacks that a password-based
protocol needs to guard against. In the following, we provide the list
of attacks. An ideal password protocol should be secure against these attacks,
and we will follow these criteria when we discuss the security of password
protocols.

• Eavesdropping. The attacker may observe the communications channel. 

• Replay. The attacker records messages she has observed and re-sends them 
at a later time. 

• Man-in-the-middle. The attacker intercepts the messages sent between
the parties C and S and replaces these with her own messages. She plays
the role of the client in the messages which she sends to the server, and at
the same time plays the role of the server in the messages that she sends to
the client. A special man-in-the-middle attack is the small subgroup attack
[To1ll8f23j]. We illustrate this kind of attack by a small example. Let $g$ be a
generator of the group $\mathcal{G}$ of order $n = qt$ for some small $t > 1$. In a standard
Diffie-Hellman key exchange protocol, the client C chooses a random $x$ and
sends $g^x$ to the server S, then S chooses a random $y$ and sends $g^y$ to C.
The shared key between C and S is $g^{xy}$. Now assume that the attacker A
intercepts C's message $g^x$, replaces it with $g^{xq}$, and sends it to S. A also
intercepts S's message $g^y$, replaces it with $g^{yq}$, and sends it to C. In the end,
both C and S compute the shared key $g^{qxy}$. Since $g^{qxy}$ lies in the subgroup
of order $t$ generated by $g^q$, it takes on one of only $t$ possible
values. A can easily recover $g^{qxy}$ by an exhaustive search.

• Impersonation. The attacker impersonates the client or the server to get 
some useful information. 

• Password-guessing. The attacker is assumed to have access to a relatively
small dictionary of words that likely includes the secret password $\alpha$. In an
off-line attack, the attacker records past communications and searches for a 
word in the dictionary that is consistent with the recorded communications. 
In an on-line attack, the attacker repeatedly picks a password from the 
dictionary and attempts to impersonate C or S. If the impersonation fails, 
the attacker removes this password from the dictionary and tries again, 
using a different password. 

• Partition attack. The attacker records past communications, then goes 
over the dictionary and deletes those words that are not consistent with 
the recorded communications from the dictionary. After several tries, the 
attacker's dictionary could become very small. 

We now informally sketch the definition of security in [11] for a password-based
protocol. The attacker A is allowed to watch regular runs of the protocol
between the client C and the server S, and can also actively communicate with
C and S in replay, impersonation, and man-in-the-middle attacks. A protocol
is said to be secure in the presence of such an attacker if (i) whenever the server
S accepts an authentication session with C, it is the case that C did indeed
participate in the authentication session; and (ii) whenever C accepts an
authentication session with S, it is the case that S did indeed participate in
the authentication session.



3 Security issues with practical realizations of the ideal cipher model: on Bellare and Rogaway's AuthA

In the remainder of this paper, we will use the following notations: By $\mathcal{G} = \langle g \rangle$,
we denote a cyclic group generated by $g$, and by $\mathrm{ord}(g)$, we denote the order
of $g$. For a symmetric encryption scheme $\mathcal{E}$ and a key $\pi$, $\mathcal{E}_\pi(x)$ denotes the
ciphertext of $x$. We also assume that the client C holds a password $\alpha$ and the
server S holds a key $\beta$ which is a known function of $\alpha$. In a protocol for a
symmetric model, the client and the server share the same password, that is,
$\beta = \alpha$. In this paper, we will abuse our notation by letting C and S also denote
the corresponding parties' identification strings. In a protocol for an asymmetric
model, $\beta$ will typically be chosen so that it is hard to compute $\alpha$ from C,
S, and $\beta$. The password $\alpha$ might be a poor one. Probably the user selects
some short, easily remembered $\alpha$ and then installs $\beta$ at the server. In the
protocols, $\mathcal{H}$ is used to denote a secure hash function. We will also abuse our
notation by using C (respectively, S) to denote the identity number of the
client (respectively, the server).



3.1 The AuthA protocol 

Bellare, Pointcheval, and Rogaway [2] defined a model for the password-based
protocol problem and showed that their model is rich enough to deal with
password guessing, forward secrecy, server compromise, and loss of session
keys. Then they proved that in the ideal-cipher model (random oracles), the
two-flow protocol at the core of Encrypted Key Exchange (EKE) is secure. In
addition, Bellare and Rogaway [3] suggested several instantiations of the ideal
cipher in their proposal to the IEEE P1363.2 working group. In the protocol, the
server S stores the value $(C, \beta)$ for each client C where $\beta = g^\alpha$. The protocol
proceeds as follows:

(1) C chooses a random $x \in [1, \mathrm{ord}(g) - 1]$, computes $g^x$, encrypts it with $\beta$,
and sends the ciphertext $\mathcal{E}_\beta(g^x)$ to the server S.

(2) S chooses a random $y \in [1, \mathrm{ord}(g) - 1]$, computes $g^y$, encrypts it with $\beta$,
and sends the ciphertext $\mathcal{E}_\beta(g^y)$ to C.

(3) AuthA authentication steps. Let $K = \mathcal{H}(C\|S\|g^x\|g^y\|g^{xy})$. Then there
are three authentication methods for AuthA:

(a) The server authenticates itself by sending $\mathcal{H}(K\|2)$ to C.

(b) The client authenticates itself by sending $\mathcal{H}(K\|g^{\alpha y})$ to S.

(c) Both server and client achieve mutual authentication by sending both
of the messages in the above two steps.

The authors of [2] claimed that if the encryption function $\mathcal{E}$ is given by an
ideal cipher (random oracle), then the sub-protocol formed by the first two steps
(of AuthA) at the core of EKE is provably secure in their model. In the following
sections, we present examples of real (NOT ideal) ciphers (including two naive
implementations of the three instantiations proposed to IEEE P1363.2) that would
result in broken instantiations of the idealized AuthA protocol. Indeed, in [2],
the authors warn that "incorrect instantiation of the encryption primitive,
including instances which are quite acceptable in other contexts, can easily
destroy the protocol's security". Our examples confirm this argument.

3.2 Instantiation $\mathcal{E}_\beta(X) = X \cdot g^{\mathcal{H}(\beta)}$

Assume that $\mathcal{H}$ is a random oracle. Bellare and Rogaway [3] suggested the
instantiation $\mathcal{E}_\beta(X) = X \cdot \mathcal{H}(\beta)$ of the ideal cipher. Obviously, this is far from
an ideal cipher. However, this misleading instantiation will give one the impression
that $\mathcal{E}_\beta(X) = X \cdot g^{\mathcal{H}(\beta)}$ could also be a "reasonable" instantiation of the ideal
cipher. Indeed, one may wonder, if $\mathcal{E}_\beta(X) = X \cdot \mathcal{H}(\beta)$ is an ideal cipher, why
is $\mathcal{E}_\beta(X) = X \cdot g^{\mathcal{H}(\beta)}$ not? In the following, we will describe our attack on the
two-step protocol with this instantiation $\mathcal{E}_\beta(X) = X \cdot g^{\mathcal{H}(\beta)}$.

No matter whether there is an authentication step (as in AuthA) or not, our
attack works for the two-step protocol. If there is an authentication step, then
the adversary A will launch impersonation attacks and use the authentication
messages to verify whether the guessed password is the correct one. Without loss
of generality, we assume that the server sends the first authentication message
if any authentication message is ever sent between C and S (if the first
authentication message is sent from client to server, then the following attack works
when the adversary impersonates the server). If there is no authentication step,
then the adversary could not check whether a guessed password is the correct
one. However, in practice, the established session key will be used either to
encrypt the actual data for the application protocol or to encrypt the client's
private credential (e.g., the client's private key). In either case, the adversary A can
verify whether the guessed password is the correct one by checking the redundancy
in these encrypted data. Specifically, consider the following scenario. A
impersonates the client, chooses a random $z$, and sends $g^z$ to the server. The
server S chooses a random $y$, sends $g^{y+\mathcal{H}(\beta)}$ to A, and computes the shared
key $K = \mathcal{H}(C\|S\|g^{z-\mathcal{H}(\beta)}\|g^y\|g^{(z-\mathcal{H}(\beta))y})$. A distinguishes the following three
cases:

(1) This is an AuthA protocol and S sends $\mathcal{H}(K\|2)$ to A for authentication.
For each guessed $\beta'$, A computes

$K' = \mathcal{H}(C\|S\|g^{z-\mathcal{H}(\beta')}\|g^{y+\mathcal{H}(\beta)-\mathcal{H}(\beta')}\|g^{(y+\mathcal{H}(\beta)-\mathcal{H}(\beta'))(z-\mathcal{H}(\beta'))})$.

Note that if $\beta' = \beta$, then $K' = K$ and $\mathcal{H}(K\|2) = \mathcal{H}(K'\|2)$. Thus A can
decide whether $\beta'$ is the correct password.

(2) S sends $\mathcal{E}_K(m)$ to A, where $m$ is some application data and has sufficient
redundancy. For each guessed $\beta'$, A computes $K'$ as in item (1) above
and decrypts $\mathcal{E}_K(m)$ as $m' = \mathcal{E}_{K'}^{-1}(\mathcal{E}_K(m))$. If $\beta' = \beta$, then $K' = K$ and
$m' = m$. Thus by checking the redundancy in $m'$, A can decide whether
she has guessed the password correctly.

(3) S sends $\mathcal{E}_K(\pi)$ to A, where $\pi$ is C's private key encrypted with C's
password $\alpha$. Similarly, for each guessed $\alpha'$, A first computes $\beta'$, then
computes $K'$ as in item (1) above and decrypts $\mathcal{E}_K(\pi)$ as $\pi' = \mathcal{E}_{K'}^{-1}(\mathcal{E}_K(\pi))$.
If $\beta' = \beta$, then $K' = K$ and $\pi' = \pi$. A further decrypts $\pi'$ with $\alpha'$ to see
whether the decrypted value is the private key of C. Since A knows C's
public key, she can easily verify this fact. Thus, A can decide whether
she has guessed the password correctly.

The above attack demonstrates the inherent weakness in the "ideal-cipher
model methodology" by Bellare, Pointcheval, and Rogaway [2]. That is, without
a robust measuring method for deciding whether a given cipher is a "good
realization", ideal-cipher model analysis of a password-based protocol can be
of limited value. Indeed, there is no well-defined (let alone rigorous) way in [2]
to distinguish between secure and insecure instantiations of an ideal cipher.



3.3 Instantiation $\mathcal{E}_\beta(X) = X \cdot \mathcal{H}(\beta)$

The first ideal-cipher instantiation for AuthA in [3] is: $\mathcal{E}_\beta(X) = X \cdot \mathcal{H}(\beta)$.
The authors suggested that the group $\mathcal{G} = \langle g \rangle$ could be a group on which the
Diffie-Hellman problem is hard:

...This group could be $\mathcal{G} = \mathbb{Z}_p^*$, or it could be a prime-order subgroup of this
group, or it could be an elliptic curve group... (from [2])

After the introduction of the instantiation function, the authors [3] commented
that "you apply the mask generation function $\mathcal{H}$ to $\beta$, interpret the result as a
group element, and multiply by the plaintext". However, in most implementations,
one may ignore this comment and just multiply the hash result with
the plaintext. Naively, one can also interpret the hash result as the group
element $g^{\mathcal{H}(\beta)}$. Then our attacks in Section 3.2 show that this instantiation
is not secure. Indeed, from the ideal-cipher assumption, it is not clear that
one needs to interpret the hash result as a group element other than $g^{\mathcal{H}(\beta)}$.
One may feel that both $X \cdot \mathcal{H}(\beta)$ and $X \cdot g^{\mathcal{H}(\beta)}$ can be regarded as
acceptable instantiations of the ideal cipher over $\mathbb{Z}_p^*$ (why not?). In the following, we
mount an off-line dictionary attack on this instantiation without interpreting
the result as a group element.

Our attack in Section 3.2 does not work for AuthA with this instantiation.
However, we can show that this instantiation will leak some information about
the password $\alpha$ if the group is a subgroup of $\mathbb{Z}_p^*$ or an elliptic curve group. As
an example, we illustrate the information leakage of AuthA with a subgroup
of $\mathbb{Z}_p^*$. Assume that $p = tq + 1$ with $\gcd(t, q) = 1$. In practice, generally one
chooses $p = 2q + 1$ for some large prime $q$ (see, e.g., [T?|) and $\mathrm{ord}(g) = q$.






In the attack, the eavesdropper A intercepts the message $g^x \cdot \mathcal{H}(\beta)$ and computes
$(\mathcal{H}(\beta))^q = (g^x \cdot \mathcal{H}(\beta))^q$, which holds because $g$ has order $q$. For each
guessed $\beta'$, A checks whether $(\mathcal{H}(\beta'))^q = (\mathcal{H}(\beta))^q$. If the equation does not
hold, then A deletes $\beta'$ from her dictionary.
Since $\mathcal{H}$ is a random oracle, the value $(\mathcal{H}(x))^q$ is uniformly distributed over
the set $\{g_1^q, g_1^{2q}, \ldots, g_1^{tq}\}$ when $x$ is chosen at random, where $g_1$ is a generator
of $\mathbb{Z}_p^*$, that is, $\mathbb{Z}_p^* = \langle g_1 \rangle$. Thus $\log t$ bits of information about the password are
leaked for each communication between the client and the server with different
Diffie-Hellman parameters. Thus, after observing communications
between the client and the server with different Diffie-Hellman parameters,
the adversary will recover the password with high probability.

Despite the above attacks, we feel that AuthA could be securely instantiated
by the cipher $\mathcal{E}_\beta(X) = X \cdot i(\mathcal{H}(\beta))$, where $\mathcal{H}$ is a secure hash function and
where $i$ maps a random string to a group element of order $\mathrm{ord}(g)$ by
"increasing" the random string one by one until reaching a group element with
the above given property. This instantiation should work both for ECC-based
groups and for subgroups of $\mathbb{Z}_p^*$. But we would like to warn that we have not
proved under reasonable assumptions that this is a secure instantiation of the
ideal cipher. Of course, it has been proven [2] that if $\mathcal{E}_\beta(X) = X \cdot i(\mathcal{H}(\beta))$ is
an ideal cipher then the above instantiation is provably secure against off-line
dictionary attacks. But we have no mechanism to measure whether the above
cipher is an ideal cipher.



3.4 Instantiation $\mathcal{E}_\beta(X) = (r, X \cdot \mathcal{H}(r\|\beta))$



The second ideal-cipher instantiation for AuthA in [3] is:
$\mathcal{E}_\beta(X) = (r, X \cdot \mathcal{H}(r\|\beta))$, where $r$ is independently chosen at random
for each session. After the introduction of this instantiation, the authors [3]
did not mention that the hash result $\mathcal{H}(r\|\beta)$ should be interpreted as a group
element before applying the multiplication. However, we assume that the authors
had this in mind when they introduced this instantiation. But this again shows
that a naive implementation may multiply the hash result with $X$ directly
without interpreting it as a group element, since $\mathcal{E}_\beta(X) = (r, X \cdot \mathcal{H}(r\|\beta))$
could be regarded as an acceptable ideal cipher. Indeed, the ideal-cipher model
does not address this tiny difference between the two implementations:
interpreting the hash result as a group element and not interpreting the hash
result as a group element.

Indeed, this instantiation without interpreting the hash result as a group
element is completely insecure against partition attacks if the underlying group
is a subgroup of $\mathbb{Z}_p^*$ or an elliptic curve group. The attack in Section 3.3 can
be used to show that for each randomly chosen $r$, $\log t$ bits of information about
the password $\alpha$ are leaked. Thus after recording several communications with
different $r$, the adversary can recover $\alpha$.
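
As an added example (not code from the paper or from the AuthA proposal), the Python below reproduces the partition leak of Sections 3.3 and 3.4 in a toy subgroup of $\mathbb{Z}_p^*$ with $p = tq + 1$, and shows that mapping the hash into the order-$q$ subgroup with the $i(\mathcal{H}(\beta))$ procedure removes that particular leak. The small primes, the dictionary, and SHA-256 standing in for the random oracle are constructed assumptions.

```python
import hashlib
import math
import random

# Constructed toy parameter sets (t, search start): p - 1 = t * q with q prime, i.e.
# p = tq + 1 with gcd(t, q) = 1 as in Section 3.3. Real p is ~2048 bits; the leak
# per observed session is the same log t bits, only the arithmetic is bigger.
PARAM_SPECS = [(2, 10000), (2, 20000), (4, 10000), (6, 10000), (10, 10000),
               (2, 30000), (4, 20000), (6, 20000), (10, 20000), (12, 10000)]

# Constructed dictionary; "correct horse" is the client's real password.
DICT = [f"pass{i:03d}" for i in range(200)] + ["correct horse"]
TRUE_PW = "correct horse"

def is_prime(n):
    return n >= 2 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def toy_params(t, start):
    """Smallest prime p >= start with p - 1 = t * q, q prime (so gcd(t, q) = 1);
    g = h^t generates the order-q subgroup of Z_p^*."""
    p = start
    while not (is_prime(p) and (p - 1) % t == 0 and is_prime((p - 1) // t)):
        p += 1
    q, h = (p - 1) // t, 2
    while pow(h, t, p) == 1:        # h^t has order exactly q unless it collapses to 1
        h += 1
    return p, q, t, pow(h, t, p)

def H(*parts):
    """Stand-in for the random oracle: SHA-256 of the joined parts, read as an integer."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def verifier(pw, p, q, g):
    """beta = g^alpha, alpha derived from the password (the (C, beta) record stored by S)."""
    return pow(g, 1 + H("alpha", pw) % (q - 1), p)

def mask_naive(beta, p, q):
    """Naive E_beta(X) = X * H(beta): the hash is reduced mod p and multiplied in as is."""
    return 1 + H("mask", beta) % (p - 1)     # an element of Z_p^*, usually not in <g>

def mask_mapped(beta, p, q):
    """E_beta(X) = X * i(H(beta)): step the hash value up until it has order q."""
    v = mask_naive(beta, p, q)
    while v == 1 or pow(v, q, p) != 1:
        v = v % (p - 1) + 1                  # "increase by one", wrapping inside Z_p^*
    return v

def first_flow(pw, x, p, q, g, mask):
    """Client's first message E_beta(g^x) under the chosen mask function."""
    return pow(g, x, p) * mask(verifier(pw, p, q, g), p, q) % p

def partition(dictionary, observations, mask):
    """Eavesdropper's partition step: c^q = mask(beta)^q because g^q = 1, so a guessed
    password survives only if its own mask raised to q gives the same value."""
    survivors = list(dictionary)
    for (p, q, g), c in observations:
        fingerprint = pow(c, q, p)
        survivors = [pw for pw in survivors
                     if pow(mask(verifier(pw, p, q, g), p, q), q, p) == fingerprint]
    return survivors

def run(mask, seed=7):
    """Record one first flow per parameter set (fresh random x each time), then partition."""
    rng, observations = random.Random(seed), []
    for t, start in PARAM_SPECS:
        p, q, t, g = toy_params(t, start)
        x = rng.randrange(1, q)
        observations.append(((p, q, g), first_flow(TRUE_PW, x, p, q, g, mask)))
    return partition(DICT, observations, mask)

def leaked_bits():
    """log t bits per observed session (Section 3.3), summed over the parameter sets."""
    return sum(math.log2(t) for t, _ in PARAM_SPECS)

if __name__ == "__main__":
    print("naive mask, survivors :", run(mask_naive))
    print("mapped mask, survivors:", len(run(mask_mapped)), "of", len(DICT))
    print("bits leaked: %.1f, dictionary: %.1f bits" % (leaked_bits(), math.log2(len(DICT))))
```

With the naive mask the candidate list collapses to the real password after a handful of sessions with different parameters, while the mapped mask leaves the whole dictionary intact because $(g^x \cdot i(\mathcal{H}(\beta)))^q = 1$ for every $\beta$.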

3.5 Instantiation $\mathcal{E}_\beta(X)$ by a cipher

The third ideal-cipher instantiation for AuthA in [3] is simply a cipher, e.g.,
$\mathcal{E}_\beta(X) = \mathrm{AES}_\beta(X)$. AuthA with this instantiation is not secure against
partition attacks if the underlying group is a subgroup of $\mathbb{Z}_p^*$ or an elliptic curve
group. The insecurity of this instantiation has been observed by several
authors, see, e.g., [HHIo].

Firstly we assume that the underlying group $\mathcal{G}$ is a subgroup of $\mathbb{Z}_p^*$. The
eavesdropper A tries to decrypt $\mathcal{E}_\beta(g^x)$ and $\mathcal{E}_\beta(g^y)$ with different guessed $\beta'$
$(= g^{\alpha'})$. If either of the decrypted values $\mathcal{E}_{\beta'}^{-1}(\mathcal{E}_\beta(g^x))$ or $\mathcal{E}_{\beta'}^{-1}(\mathcal{E}_\beta(g^y))$ is not
an element of $\mathcal{G}$, then A knows that $\alpha'$ is not the correct password. Since
$\mathcal{E}_\beta(X)$ is an ideal cipher, only with probability $(\|\mathcal{G}\|/2^{|p|})^2$ are both
$\mathcal{E}_{\beta'}^{-1}(\mathcal{E}_\beta(g^x))$ and $\mathcal{E}_{\beta'}^{-1}(\mathcal{E}_\beta(g^y))$ elements of $\mathcal{G}$, where $|p|$ and $\|\mathcal{G}\|$
denote the length of $p$ in binary representation and the cardinality of $\mathcal{G}$
respectively. Thus for each execution of the protocol, $2\log(2^{|p|}/\|\mathcal{G}\|)$ bits of
information about the password $\alpha$ are leaked. After recording several executions
of the protocol, A recovers the password.

Secondly assume that the underlying group $\mathcal{G}$ is an elliptic curve group. For an
elliptic curve group $E_{a,b}(\mathbb{F}) = \langle g \rangle$ over the field $\mathbb{F}$, the element $(x, y) \in \langle g \rangle$
is denoted by its $x$ and $y$ coordinates. For a randomly chosen $x \in \mathbb{F}$ the
probability that there exists a $y \in \mathbb{F}$ such that $(x, y)$ is a point on the curve
is 1/2. Thus AuthA over elliptic curve groups with this instantiation is not
secure against partition attacks.



4 Security issues with ideal ciphers in one encryption key exchange OEKE

Recently, Bresson, Chevassut, and Pointcheval [8] formally modeled the AuthA
protocol by the One-Encryption-Key-Exchange (OEKE): only one flow
is encrypted (using either a symmetric-encryption primitive or a multiplicative
function as the product of a Diffie-Hellman value with a hash of the
password). The authors pointed out that the advantage of OEKE over the
classical EKE, wherein the two Diffie-Hellman values are encrypted, is its ease
of integration, for example, in the Transport Layer Security (TLS) protocol
with password-based key-exchange cipher suites [21,22].

OEKE is similar to AuthA except that the first message is not encrypted. In
particular, the protocol proceeds as follows:

(1) C chooses a random $x \in [1, \mathrm{ord}(g) - 1]$, computes $g^x$ and sends $g^x$ to the
server S.

(2) S chooses a random $y \in [1, \mathrm{ord}(g) - 1]$, computes $g^y$, encrypts it with $\beta$,
and sends the ciphertext $\mathcal{E}_\beta(g^y)$ to C.

(3) C computes $\mathrm{Auth} = \mathcal{H}_1(C\|S\|g^x\|g^y\|g^{xy})$ and sends $\mathrm{Auth}$ to S. C also
computes the session key $K = \mathcal{H}_0(C\|S\|g^x\|g^y\|g^{xy})$.

(4) S verifies that the value $\mathrm{Auth}$ is correct and computes the session key
similarly.

Here $\mathcal{H}_0$ and $\mathcal{H}_1$ are two independent random oracles. The authors [8] show
that the protocol OEKE achieves provable security against dictionary attacks
in both the random oracle and ideal-cipher models under the computational
Diffie-Hellman intractability assumption. The authors [8] also observed that a
simple block cipher could not be used for the instantiation of the ideal cipher
due to partition attacks.

The authors recommended two instantiations of the ideal cipher. In the first
method, which is essentially from [1], one encrypts the element, and re-encrypts
the result, until one finally falls in the group $\mathcal{G}$. The second instantiation is
the cipher $\mathcal{E}_\beta(X) = X \cdot \mathcal{H}(\beta)$ that we have discussed in Section 3.3. That is
(see [8]), "to instantiate the encryption primitive as the product of a Diffie-
Hellman value with a hash of the password, as suggested in [3]". Obviously,
if one does not interpret the hash output of the password as a group element
before applying the multiplication, then our attacks in Section 3.3 work for
OEKE also. Thus we have the same concern for OEKE: the ideal-cipher model
does not directly address the issue of interpreting the hash output as a
group element. From the ideal-cipher model viewpoint, the two instantiations
(one with interpretation of the hash as a group element and one without)
have no essential difference. However, one instantiation results
in a broken protocol. This observation strengthens our viewpoint: without a
rigorous way to distinguish between secure and insecure instantiations of an
ideal cipher, the value of provable security in the ideal-cipher model is limited.



5 Secure Remote Password protocol (SRP) 

If the underlying group $\mathcal{G}$ in OEKE is indeed a finite field, then one can
instantiate the ideal cipher with $\mathcal{E}_\beta(X) = X + \beta$ and obtain the Secure Remote
Password protocol (SRP6) [25,26]. But one needs to be careful that the SRP
protocol uses different values for the keying material computation, which achieves
stronger security. In the SRP6 protocol, the server S stores the value $(C, \beta, s)$
for each client C, where $\beta = g^v$, $v = \mathcal{H}(s\|C\|\alpha)$, $s$ is a random seed for C, and
$\mathcal{H}$ is a predetermined hash function. Assume that the underlying group for
the protocol is $\mathcal{G} = \mathbb{Z}_p^* = \langle g \rangle$. Then the protocol proceeds as follows:

(1) C sends his name C to the server S.

(2) S sends $s$ to C.

(3) C chooses a random $x \in [1, \mathrm{ord}(g) - 1]$ and sends $g^x$ to S.

(4) S chooses a random $y \in [1, \mathrm{ord}(g) - 1]$ and sends $3\beta + g^y$ to C.

(5) Let $u = \mathcal{H}(g^x\|3\beta + g^y)$. C sends $M = \mathcal{H}(g^x\|3\beta + g^y\|S)$ to S where

(6) S verifies that $M$ is correct and sends $\mathcal{H}(g^x\|M\|S)$ to C.

(7) C verifies that $\mathcal{H}(g^x\|M\|S)$ is correct.

(8) Let $K = \mathcal{H}(S)$.

The role of $u$ in SRP6 is to defeat an adversary A who may know $\beta$. If A
knows $\beta$ and $u$ is fixed, she can impersonate C by sending $g^x \cdot g^{-vu} = g^{x-uv}$
instead of $g^x$ in the third step. Then $g^{y(x-uv+uv)} = g^{xy}$ and $K = \mathcal{H}(g^{xy})$. Note
that this additional value $u$ in the SRP protocol achieves stronger security
against stolen $\beta$ while OEKE does not have this level of security.

If we instantiate the ideal cipher in OEKE with $\mathcal{E}_\beta(X) = X \cdot i(\mathcal{H}(\beta))$ and use
the SRP6 shared secret computation method, then we get a natural generalization
of the SRP protocol, where $i$ "appropriately" maps a random string
to a group element of order $\mathrm{ord}(g)$. For example, if we define $i(\mathcal{H}(\beta))$ by the
following procedure, then we get the SRP5 protocol [21] which is currently
under standardization in the IEEE 1363.2 standard working group.

(1) Let $x = \mathcal{H}(\beta)$.

(2) If $x$ is a group element of order $\mathrm{ord}(g)$, then let $i(\mathcal{H}(\beta)) = x$. Otherwise,
increase $x$ by one and go to step (2). Note that the sentence "increase $x$ by
one" can be any natural interpretation of "add one to a group element"
in a group.

Since the original SRP protocol is based on a field and uses both field opera- 
tions of addition and multiplication, there is no direct translation of SRP from 
the group Z* to ECC-based groups. The above generalization SRP5 of SRP6 
can be implemented over ECC groups. 

Lee and Lee [H] have tried to design ECC-based SRP protocols and introduced
four ECC-based SRP protocols EC-SRP1, EC-SRP2, EC-SRP3, and
EC-SRP4. They used completely different key authentication steps (that is,
steps (5) to (7) are different). The key steps in their protocols are the different
instantiations of the ideal cipher. That is, they recommended replacing
the message $3\beta + g^y$ in the fourth step of the SRP protocol with the following
messages:

(1) $\beta^y$ for EC-SRP1.

(2) $g^\alpha \cdot g^{xy}$ for EC-SRP2.

(3) $(g^{x-\alpha})^y$ for EC-SRP3.

(4) $g^{x-\alpha+y}$ for EC-SRP4.

The keying material $K$ is the same as that in the original SRP protocol, i.e.,
$K = \mathrm{SHA}(g^{y(x+uv)})$. It is straightforward to check that the protocol EC-SRP1
is insecure against off-line dictionary attacks.



6 Conclusions 

In this paper, we presented several examples of real ciphers that would result
in broken instantiations of the idealized AuthA and OEKE protocols.
Our results show that one should be extremely careful when designing or
implementing password-based protocols with provable security in the ideal-cipher
model: provable security in the ideal-cipher model does not necessarily mean that
the instantiation of the protocol is secure.